In the first part of this series, we covered the threat posed to your business by attacks on your supply chain. In the second, we detailed a number of ways of properly vetting potential suppliers, both obvious and non-obvious. In this third and final part of this series, we will detail a range of tactics you can use to protect yourself in the event of an upstream company being compromised.
Most importantly, insulating yourself against the risk of a supply chain attack must begin as soon as possible—not just after it has already happened. You should have in place response plans that detail the steps to be taken to minimise the damage of vital hardware/software compromise. For example, do you have spare routers laying around of different makes, which can replace vulnerable ones in a pinch? Do you have an idea of alternate software that you can use for business-critical work whilst you wait for the developers of your favourite to issue a vital patch?
As you might have noticed, it is also vital that you know what hardware and software you have and where it is in your business network. Upon hearing of critical vulnerabilities in a piece of equipment, it is vital that you are able to both rapidly assess the attack surface it presents within your own organisation and where the offending tech. can be located for replacement. Similarly with software, you should know what is installed on which devices, and the current software versions—if a vulnerability is found in an old version of a piece of software you use, but which is not present in the version you are currently on, the expense of replacing it unnecessarily is wasted.
Crucially, you must also take steps to protect yourself from malicious individuals who, through the access you have granted them in order to perform their supplied function, can be just as damaging as a malicious insider within your own company. In the previous part of this series we discussed the threat posed by something as innocuous as a catering supplier, and provided the example of HM Prison Service as an example of how far criminals were willing to go to gain a foothold within a target.
There are three solutions to this problem. First, you must implement strict access controls for all external staff, guests and software. This means both digital and physical access controls, and this should follow the Principle of Least Privilege—someone or something should be able to access only those things that are necessary to perform their function, and no more. To return to the example of the caterers, do they really need access to anything beyond the kitchen and food storage?
Secondly, you must have a comprehensive offboarding process in place in the event of the suppliership ending. Do not leave software installed that is not used regularly, and make sure to revoke any access granted. Finally, record comprehensive logs of supplier actions, as this will be vital in post-incident remediation and any legal action that may take place as a result.
